Posted to users@kafka.apache.org by sai chandra mouli <ts...@gmail.com> on 2021/11/25 05:03:41 UTC

TLS certificate error with PEM AND KAFKA

Hello community,
I intend to use Kafka and zookeeper with PEM certificates for SSL/TLS on my
system. But when I try to use the encrypted Private key and the certificate
created using openssl rsa I get error messages saying "DER Input Integer
Tag error" and "Caused by: org.apache.kafka.common.errors.InvalidConfigurationException:
Invalid PEM keystore configs
Caused by: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.5.13
SecretKeyFactory not available".

On browsing the internet, I found out that the private keys created using
openssl are of PKCS#1 format. A blog on the internet
(https://codingharbour.com/apache-kafka/using-pem-certificates-with-apache-kafka/#3-providing-certificates-as-files)
has achieved usage of PEM files by converting the private key from PKCS#1
format to PKCS#8 format. Even in PKCS#8 format the latest and strong
encryption algorithms (-v2 algorithms of pkcs#8) are throwing errors, but
only downgrading the encryption algorithm of PKCS#8 to pbe-sha1-rc4-128 (-v1)
works. But both sha1 and rc4 are very weak and are not strong enough
for present day usage.

Can anyone please suggest a measure to use the latest encryption algorithms
in PEM files that Kafka currently supports?

I am attaching the log file of the kafka for reference. In case any
more logs or information are needed, please feel free to message me. Hoping
for a solution. Thank you for your time.

Regards,
Sai Chandra Mouli T

Re: TLS certificate error with PEM AND KAFKA

Posted by Luke Chen <sh...@gmail.com>.
Hi Sai Chandra Mouli T,
Glad you found out that the PKCS#8 pbe-sha1-rc4-128 (-v1) works well.
In Kafka's unit tests, we use the algorithm
pbeWithSHA1And3-KeyTripleDES-CBC (v1) to encrypt the key for the test.

Actually, the v1/v2 means the algorithm in PKCS#5 v1/v2 (check here:
https://www.openssl.org/docs/man1.1.1/man1/pkcs8.html ).

I checked the PKCS#5 version 2 spec:
https://datatracker.ietf.org/doc/html/rfc2898#section-6.2 , and it says the v2
supported algorithm is "PBES2".
If you check SunJCE.java in the OpenJDK source code:
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
, you'll find the number in your error message, "1.2.840.113549.1.5.13
SecretKeyFactory not available", and it maps to the "OID_PKCS5_PBES2" name.
That is the new algorithm for PKCS#5 v2: "PBES2".
Unfortunately, it is not supported in the "SecretKeyFactory" engine.
You can check the Java documentation for the list of supported
ciphers/algorithms here:
https://docs.oracle.com/javase/9/security/oracleproviders.htm#JSSEC-GUID-A47B1249-593C-4C38-A0D0-68FA7681E0A7
, and it confirms that the "PBES2" algorithm is not supported for the
"SecretKeyFactory" engine.

So, until Java has an update, we can only stick to the PKCS#5 v1
encryption in the PKCS#8 key.

That's all I know. FYI.

Thank you.
Luke

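A pre-flight check that follows from Luke's explanation, added here as an example and not code from the thread or from Kafka: it decodes the outer DER of an encrypted PKCS#8 PEM, extracts the encryptionAlgorithm OID and reports whether it is PBES2 (1.2.840.113549.1.5.13, the scheme SunJCE's SecretKeyFactory lacks) or one of the PKCS#12 v1 schemes the thread says load. The `sample_pem` builder, the `KNOWN_PBE` table and the hex OID samples are constructed for this example; the Java-support flags restate the thread and were not verified against a JDK.

```python
# Added example (not from the thread or from Kafka): report which password-based
# encryption scheme an encrypted PKCS#8 PEM key uses before Kafka's loader rejects it.
import base64

# OIDs: PBES2 from the thread, the two v1 schemes from PKCS#12; bool = accepted by SunJCE SecretKeyFactory (per the thread).
KNOWN_PBE = {
    "1.2.840.113549.1.5.13": ("PBES2 (PKCS#5 v2)", False),
    "1.2.840.113549.1.12.1.1": ("pbe-sha1-rc4-128 (PKCS#12 v1)", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12 v1)", True),
}

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, content bytes)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length]

def _decode_oid(raw):
    """DER OID content -> dotted string (base-128 arcs; first byte encodes 40*a + b)."""
    arcs, cur = [], 0
    for b in raw:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                            # continuation bit clear: arc complete
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def pkcs8_pbe(pem_text):
    """Return (oid, name, java_ok) for the EncryptedPrivateKeyInfo in pem_text."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    t1, epki = _tlv(base64.b64decode(b64))         # EncryptedPrivateKeyInfo ::= SEQUENCE
    t2, alg = _tlv(epki)                            # encryptionAlgorithm AlgorithmIdentifier
    t3, oid = _tlv(alg)                             # algorithm OBJECT IDENTIFIER
    assert (t1, t2, t3) == (0x30, 0x30, 0x06), "not an encrypted PKCS#8 structure"
    dotted = _decode_oid(oid)
    return (dotted,) + KNOWN_PBE.get(dotted, ("unknown PBE scheme", False))

def sample_pem(oid_hex):
    """Constructed sample, not a real key: AlgorithmIdentifier(oid, NULL) + 8 dummy bytes."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths suffice here
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    b64 = base64.b64encode(der(0x30, alg + der(0x04, b"\x00" * 8))).decode()
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % b64

if __name__ == "__main__":
    for hex_oid in ("2a864886f70d01050d", "2a864886f70d010c0103"):   # constructed: PBES2, 3DES v1
        print(pkcs8_pbe(sample_pem(hex_oid)))
```

For a key produced by openssl, read the PEM file and pass its text to `pkcs8_pbe`; a `False` flag means the key will fail in Kafka with the NoSuchAlgorithmException from the original post.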